I referred back to the Pragmatic CSO tips when I started the Vulnerability Management Evolution series (the paper hit yesterday, by the way) and there was some good stuff in there, so let me once again dust off those old concepts and highlight another one. This one dealt with the reality that you are a business person, not a security person.
When I first meet a CSO, one of the first things I ask is whether they consider themselves a “security professional” or a “finance/health care/whatever other vertical professional.” 8 out of 10 times they respond “security professional” without even thinking. I will say that it’s closer to 10 out of 10 with folks that work in larger enterprises. These folks are so specialized they figure a firewall is a firewall is a firewall and they could do it for any company. They are wrong.
One of the things preached in the Pragmatic CSO is that security is not about firewalls or any technology for that matter. It’s about protecting the systems (and therefore the information assets) of the business and you can bet there is a difference between how you protect corporate assets in finance and consumer products. In fact there are lots of differences between doing security in most major industries. There are different businesses, they have different problems, they tolerate different levels of pain, and they require different funding models.
To put it another way, a health care CSO said it best to me. When I asked him the question, his response was “I’m a health care IT professional that happens to do security.” That was exactly right. He spent years understanding the nuances of protecting private information and how HIPAA applies to what he does. He understood how the claims information between providers and payees is sent electronically. He got the BUSINESS and then was able to build a security strategy to protect the systems that are important to the business.
So let’s say you actually buy into this line of thinking. You spend a bunch of time learning about banking, since you work for a bank. Or manufacturing since your employer makes widgets. It’s all good, right? Well, not so much. What happens when your business changes? Maybe not fundamentally, but partially? You have to change with it.
Let me give you an example that’s pretty close to home. My Dad’s wife is a candy importer. She sources product from a variety of places and sells via her own brand in the US, or using the manufacturer’s brand when that makes sense. We were talking recently and she said they had a good year in 2011. I figured that was the insatiable demand for sweets driving the business (fat Americans pay her bills), but in fact it was a couple savvy currency hedges that drove the additional profits. That’s right, the candy importer is actually a currency trader. Obviously that means she has to deal with all sorts of other data types that don’t pertain to distributing candy, and that data needs to be protected differently.
That example is pretty simple, but what if you thought you were in the transportation business, and then your employer decided to buy a refinery? Yes, Delta is now in the refining business. So their security team, who knows all about protecting credit cards and ensuring commerce engines (web site and reservation systems) don’t fall over under attack, now gets to learn all about the attack surface of critical infrastructure.
Obviously huge conglomerates in unrelated businesses roamed the earth back in the 80s, fueled by Milken-generated junk bonds and hostile takeovers. Then the barbarians at the gates were slain, and the pendulum swung back to focus and scale for the past couple decades. It should be no surprise when we inevitably swing back the other way – as we always do. It’s a good thing that security folks are naturally curious. As Rich posted in our internal chat room yesterday:
I can’t remember a time in my life when I didn’t poke and prod. You can’t be good at security if you think any other way. – Rich Mogull
If you aren’t comfortable with the realization that no matter how much you know, you don’t know jack, you won’t last very long in the security business. Or any business, for that matter.
Photo credit: “Learning by Doing” originally uploaded by BrianCSmith